In a communication network, hosts communicate by exchanging packets. The path between two hosts may traverse many different physical media, from short copper wires to long geosynchronous satellite links. The network devices that transport packets typically operate transparently to the end hosts, so that such devices may be added and removed without modifying the hosts that use the network.
It is often desirable to protect data from unauthorized persons who may attempt to eavesdrop on it. Defense networks may carry military information whose disclosure would be damaging. Users of public networks may transmit personal or financial data that can be exploited for criminal purposes.
Encryption is a useful technique for providing confidentiality in a public communication network. The sender encrypts the data, making it unintelligible to potential interceptors, and the receiver decrypts it to recover the original message. Network encryption may occur at various levels of the OSI stack, including the link layer (layer 2), such as classic ATM encryptors; the transport layer (layer 4) and above, such as Secure Sockets Layer (SSL); or the IP network layer (layer 3), such as High Assurance Internet Protocol Encryptor (HAIPE). HAIPE is used by the Department of Defense and is based on Internet Protocol Security (IPsec), a standard defined by the Internet Engineering Task Force (IETF), in particular the Encapsulating Security Payload (ESP) in tunnel mode. HAIPE devices provide cryptographic isolation between private networks, referred to as security enclaves in HAIPE terminology. Because the entire inner packet is encrypted, the upper-layer protocol headers (such as TCP) and the enclave IP addresses are carried as ciphertext and are unavailable to devices in the shared transit network; only the outer IP header and the ESP header (security parameter index and sequence number) remain in the clear. Network security specialists refer to the protected enclave side as plaintext or red, and the encrypted transit side as ciphertext or black.
On links with high latency and dynamically varying bandwidth, protocol acceleration techniques have been shown to be useful, especially for TCP, whose throughput is bounded by the sender's window size divided by the round-trip time. One popular technique is TCP spoofing by a performance enhancing proxy (PEP): the proxy terminates the host's TCP connection locally, acknowledging data on behalf of the remote host, and carries the data across the satellite link using a protocol optimized for such links, such as the Space Communications Protocol Standards Transport Protocol (SCPS-TP) or the Xpress Transport Protocol (XTP). For a PEP to work well over a dynamic bandwidth link, the bandwidth currently available over the backbone link must be known, so that the proxy neither overdrives the link nor leaves capacity unused.
Currently, the network device that knows the current bandwidth resides in the encrypted (black) network, since it is the last device before the RF interface. However, for the PEP software to work it must have access to upper-layer header information, and so it must reside in the unencrypted (red) network. Thus the PEP typically could not be used with IP-layer encryptors, because no bandwidth information reached it across the cryptographic boundary. Signaling the bandwidth data across the cryptographic boundary is the problem addressed in the present disclosure. Any such signal crosses the red/black boundary that the encryptor exists to enforce, so the information passed must be limited to what the PEP needs (the current link bandwidth) and must not expose red-side data to the black network.
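The two views described above, what a red-side PEP can read from a packet versus what a black-side device sees after the HAIPE has applied ESP tunnel-mode encapsulation, as an added example that is not part of the original disclosure. The enclave and transit addresses, the SPI and the keys are constructed for illustration. The Python standard library has no AES, so the confidentiality transform is a keyed HMAC-SHA256 counter-mode keystream standing in for the AES transforms a real IPsec suite would use; the packet layout (outer IP, SPI, sequence number, encrypted inner packet plus trailer, ICV) follows ESP.

```python
"""Red-side vs black-side view of a TCP packet carried through ESP tunnel mode.

Added example. Addresses, SPI and keys are constructed; the cipher is an
HMAC-SHA256 counter-mode keystream used as a stand-in for AES (assumption).
"""
import hashlib
import hmac
import socket
import struct

ENC_KEY = hashlib.sha256(b"constructed-encryption-key").digest()   # constructed
AUTH_KEY = hashlib.sha256(b"constructed-integrity-key").digest()   # constructed
INNER_SRC, INNER_DST = "10.1.1.1", "10.2.2.2"          # red enclave hosts (constructed)
OUTER_SRC, OUTER_DST = "192.0.2.1", "198.51.100.1"     # HAIPE black-side addresses (constructed)
SPI = 0x1000ABCD                                       # constructed security association
PROTO_TCP, PROTO_ESP, PROTO_IPIP = 6, 50, 4
ICV_LEN = 16                                           # HMAC-SHA256-128 style truncated ICV


def ip_checksum(data):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def tcp_header(sport, dport, seq, ack, flags, window):
    # 20-byte TCP header, no options; TCP checksum left zero, it is not needed here
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def keystream(key, spi, seq, length):
    """PRF counter mode: the (spi, seq) pair is the per-packet nonce."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner, spi, seq, outer_src, outer_dst):
    """HAIPE red-to-black: encrypt the whole inner packet, then add outer IP + ESP."""
    pad_len = (-(len(inner) + 2)) % 4                      # ESP trailer aligns to 4 bytes
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    body = struct.pack("!II", spi, seq) + xor(plaintext, keystream(ENC_KEY, spi, seq, len(plaintext)))
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(body) + ICV_LEN) + body + icv


def esp_decapsulate(packet, spi_expected):
    """HAIPE black-to-red: verify ICV before decrypting, then strip the trailer."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ESP:
        raise ValueError("not ESP")
    body, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != spi_expected:
        raise ValueError("unknown SPI")
    plaintext = xor(body[8:], keystream(ENC_KEY, spi, seq, len(body) - 8))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != PROTO_IPIP:
        raise ValueError("unexpected next header")
    return plaintext[:-(2 + pad_len)]


def parse_headers(packet):
    """What a device on either side can read from the packet in front of it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]), "proto": proto}
    if proto == PROTO_TCP:       # red side: the PEP sees ports, sequence numbers, window
        sport, dport, seq, ack, _, flags, window = struct.unpack("!HHIIBBH", packet[ihl:ihl + 16])
        view.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=window)
    elif proto == PROTO_ESP:     # black side: only SPI and sequence number are in the clear
        spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
        view.update(spi=spi, seq=seq, encrypted_bytes=len(packet) - ihl - 8 - ICV_LEN)
    return view


def build_inner_packet():
    tcp = tcp_header(443, 51000, 1000, 2000, 0x18, 65535) + b"GET / HTTP/1.1\r\n"  # constructed
    return ipv4_header(INNER_SRC, INNER_DST, PROTO_TCP, len(tcp)) + tcp


def demo():
    inner = build_inner_packet()
    black = esp_encapsulate(inner, SPI, 1, OUTER_SRC, OUTER_DST)
    tampered = bytearray(black)
    tampered[30] ^= 0x01                                   # flip a ciphertext bit in transit
    try:
        esp_decapsulate(bytes(tampered), SPI)
        rejected = False
    except ValueError:
        rejected = True
    return {"inner": inner, "red": parse_headers(inner), "black": parse_headers(black),
            "recovered": esp_decapsulate(black, SPI), "tamper_rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("red side sees:  ", result["red"])
    print("black side sees:", result["black"])
```

Running `demo()` shows the asymmetry the text describes: the red-side parse returns the enclave addresses, TCP ports, sequence number and window that a PEP needs, while the same parser applied on the black side returns only the HAIPE outer addresses, the SPI and the ESP sequence number, with the TCP header sitting inside the 60 encrypted bytes. The far HAIPE recovers the inner packet byte for byte, and a single flipped ciphertext bit is rejected by the ICV before any decryption is attempted.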